Risk Identification

ABSTRACT

Systems, methods and apparatuses for analyzing a string of terms (e.g., a search query, text of an email, and the like) are provided. In some examples, a determination is made as to whether one or more terms in the string matches a keyword. If so, various parts of speech of one or more terms in the string of terms may be determined. In some examples, a category of risk of the terms for which the part of speech is identified may also be determined. A risk rating may then be determined for the string of terms based on the relationship between the terms (e.g., the parts of speech) and the category or categories identified. In some examples, one or more additional actions may be implemented based on the risk rating.

BACKGROUND

Identifying and mitigating risk is a significant issue for companies today. One important aspect to identifying and mitigating risk is understanding how employees are using employer-provided computing devices. Accordingly, companies often monitor activity on these employer-provided devices. For instance, employers may monitor and evaluate search queries such as those input into an Internet search engine. In another example, employers may monitor email content of employees. Conventional systems of monitoring these activities include analyzing the content to determine whether any of the terms used match keywords identified as indicating risk. However, this system of identifying keywords results in many false positives because a word matching a keyword may be used as different parts of speech that may indicate different levels of risk. These conventional systems do not account for use of terms as different parts of speech and, thus, can provide inaccurate results.

SUMMARY

The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosure. The summary is not an extensive overview of the disclosure. It is neither intended to identify key or critical elements of the disclosure nor to delineate the scope of the disclosure. The following summary merely presents some concepts of the disclosure in a simplified form as a prelude to the description below.

Aspects of the disclosure relate to methods, computer-readable media, and apparatuses for analyzing a string of terms (e.g., a search query, text of an email, and the like) and determining whether one of the terms matches a keyword. If so, various parts of speech of one or more terms in the string of terms may be determined. In some examples, a category of risk of the terms for which the part of speech is identified may also be determined. A risk rating may then be determined for the string of terms based on the relationship between the terms (e.g., the parts of speech) and the category or categories identified. In some examples, one or more additional actions may be implemented based on the risk rating.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which:

FIG. 1 illustrates an example operating environment in which various aspects of the disclosure may be implemented.

FIG. 2 is an illustrative block diagram of workstations and servers that may be used to implement the processes and functions of certain aspects of the present disclosure according to one or more aspects described herein.

FIG. 3 illustrates an example risk identification system according to one or more aspects described herein.

FIG. 4 is an example method of identifying risk associated with a string of terms according to one or more aspects described herein.

FIG. 5 is another example method of identifying risk associated with a string of terms according to one or more aspects described herein.

FIG. 6 is yet another example method of identifying risk associated with a string of terms according to one or more aspects described herein.

FIG. 7 illustrates one example table indicating identified risk ratings and additional actions that may be implemented based on the risk rating according to one or more aspects described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown, by way of illustration, various embodiments in which the claimed subject matter may be practiced. It is to be understood that other embodiments may be utilized, and that structural and functional modifications may be made, without departing from the scope of the present claimed subject matter.

It is noted that various connections between elements are discussed in the following description. It is noted that these connections are general and, unless specified otherwise, may be direct or indirect, wired or wireless, and that the specification is not intended to be limiting in this respect.

Various aspects of the arrangements described herein are related to identifying risk associated with a string of terms, such as a search query or text of an electronic communication. The string of terms may be input by a user who may be an employee of an entity, and the computing device into which the user is inputting the string of terms may be an entity-provided computing device for use by the user during the course of business. The string of terms may be analyzed to determine whether one or more predefined keywords are used. If so, a part of speech of one or more terms within the string of terms may be determined in order to identify the risk associated with the string. For instance, as will be discussed more fully below, some terms may be used as different parts of speech (e.g., noun or verb) and the risk rating associated with the term may be different based on how it is used in the string of terms (e.g., the part of speech of the term in the string being analyzed). Once a risk rating has been determined, one or more additional actions or additional processing of the string may be implemented in order to further understand and/or mitigate the risk. These and various other arrangements will be discussed more fully below.

FIG. 1 depicts an illustrative operating environment in which various aspects of the present disclosure may be implemented in accordance with one or more example embodiments. Referring to FIG. 1, computing system environment 100 may be used according to one or more illustrative embodiments. Computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality contained in the disclosure. Computing system environment 100 should not be interpreted as having any dependency or requirement relating to any one or combination of components shown in illustrative computing system environment 100.

Computing system environment 100 may include computing device 101 having processor 103 for controlling overall operation of computing device 101 and its associated components, including random-access memory (RAM) 105, read-only memory (ROM) 107, communications module 109, and memory 115. Computing device 101 may include a variety of computer readable media. Computer readable media may be any available media that may be accessed by computing device 101, may be non-transitory, and may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, object code, data structures, program modules, or other data. Examples of computer readable media may include random access memory (RAM), read only memory (ROM), electronically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by computing device 101.

Although not required, various aspects described herein may be embodied as a method, a data processing system, or as a computer-readable medium storing computer-executable instructions. For example, a computer-readable medium storing instructions to cause a processor to perform steps of a method in accordance with aspects of the disclosed arrangements is contemplated. For example, aspects of the method steps disclosed herein may be executed on a processor on computing device 101. Such a processor may execute computer-executable instructions stored on a computer-readable medium.

Software may be stored within memory 115 and/or storage to provide instructions to processor 103 for enabling computing device 101 to perform various functions. For example, memory 115 may store software used by computing device 101, such as operating system 117, application programs 119, and associated database 121. Also, some or all of the computer executable instructions for computing device 101 may be embodied in hardware or firmware. Although not shown, RAM 105 may include one or more applications representing the application data stored in RAM 105 while computing device 101 is on and corresponding software applications (e.g., software tasks), are running on computing device 101.

Communications module 109 may include a microphone, keypad, touch screen, and/or stylus through which a user of computing device 101 may provide input, and may also include one or more of a speaker for providing audio output and a video display device for providing textual, audiovisual and/or graphical output. Computing system environment 100 may also include optical scanners (not shown). Exemplary usages include scanning and converting paper documents, e.g., correspondence, receipts, and the like, to digital files.

Computing device 101 may operate in a networked environment supporting connections to one or more remote computing devices, such as computing devices 141 and 151. Computing devices 141 and 151 may be personal computing devices or servers that include any or all of the elements described above relative to computing device 101. Computing devices 141 or 151 may be a mobile device (e.g., smart phone) communicating over a wireless carrier channel.

The network connections depicted in FIG. 1 may include local area network (LAN) 125 and wide area network (WAN) 129, as well as other networks. When used in a LAN networking environment, computing device 101 may be connected to LAN 125 through a network interface or adapter in communications module 109. When used in a WAN networking environment, computing device 101 may include a modem in communications module 109 or other means for establishing communications over WAN 129, such as Internet 131 or other type of computer network. The network connections shown are illustrative and other means of establishing a communications link between the computing devices may be used. Various well-known protocols such as transmission control protocol/Internet protocol (TCP/IP), Ethernet, file transfer protocol (FTP), hypertext transfer protocol (HTTP) and the like may be used, and the system can be operated in a client-server configuration to permit a user to retrieve web pages from a web-based server. Any of various conventional web browsers can be used to display and manipulate data on web pages.

The disclosure is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with the disclosed embodiments include, but are not limited to, personal computers (PCs), server computers, hand-held or laptop devices, smart phones, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.

FIG. 2 depicts an illustrative block diagram of workstations and servers that may be used to implement the processes and functions of certain aspects of the present disclosure in accordance with one or more example embodiments. Referring to FIG. 2, illustrative system 200 may be used for implementing example embodiments according to the present disclosure. As illustrated, system 200 may include one or more workstation computers 201. Workstation 201 may be, for example, a desktop computer, a smartphone, a wireless device, a tablet computer, a laptop computer, and the like. Workstations 201 may be local or remote, and may be connected by one of communications links 202 to computer network 203 that is linked via communications link 205 to server 204. In system 200, server 204 may be any suitable server, processor, computer, or data processing device, or combination of the same. Server 204 may be used to process the instructions received from, and the transactions entered into by, one or more participants.

Computer network 203 may be any suitable computer network including the Internet, an intranet, a wide-area network (WAN), a local-area network (LAN), a wireless network, a digital subscriber line (DSL) network, a frame relay network, an asynchronous transfer mode (ATM) network, a virtual private network (VPN), or any combination of any of the same. Communications links 202 and 205 may be any communications links suitable for communicating between workstations 201 and server 204 (e.g. network control center), such as network links, dial-up links, wireless links, hard-wired links, as well as network types developed in the future, and the like. A virtual machine may be a software implementation of a computer that executes computer programs as if it were a standalone physical machine.

FIG. 3 illustrates one example risk identification system for determining risk associated with one or more strings of terms according to one or more aspects described herein. The system 300 may be part of, internal to or associated with an entity 302. The entity 302 may be a corporation, university, government entity, and the like. In some examples, the entity 302 may be a financial institution, such as a bank. Although various aspects of the disclosure may be described in the context of a financial institution, nothing in the disclosure shall be construed as limiting the risk identification system to use within a financial institution. Rather, the system 300, as well as various methods, and the like, described herein, may be implemented by various other types of entities without departing from the invention.

The risk identification system 300 may include one or more modules that may include hardware and/or software configured to perform various functions within the system 300. For instance, the system may include parsing module 304. The parsing module 304 may receive data including, for example, strings of terms, such as search queries, text from emails or other electronic communications, and the like, and may parse the strings into individual words. In some examples, the parsing module 304 may receive data (e.g., search queries, text from communications, and the like) from one or more computing devices 316 a-316 e. The computing devices 316 may be provided to a user (e.g., an employee) by the entity 302 (e.g., an employer of the employee) for use during the course of business and may include a smartphone 316 a, personal digital assistant (PDA) 316 b, tablet computer 316 c, cell phone 316 d, computer terminal 316 e, among other types of computing devices. As with many businesses, any use of the employer or entity-provided computing device 316 may be monitored by the employer or entity. Accordingly, search queries, Internet usage, websites visited, content of email or other messages, and the like, may be monitored by the employer. In the arrangements described herein, the entity or employer may monitor these communications to identify a risk associated with any of the communications or activities of the user (e.g., an indication that a user intends to misuse company resources or sensitive information, an indication that a user is looking to leave his/her position, an indication that the user is attempting to circumvent one or more security measures implemented by the entity, and the like), as will be discussed more fully below.

The parsing module 304 may be connected to or in communication with a keyword module 306. The keyword module 306 may include data storage identifying one or more keywords. The keywords may be indicative of an increased risk. For instance, some example keywords may include, “block,” “bypass,” “confidential,” and the like. Several other keywords may also be stored in the keyword module 306. The individual words from the data received by the parsing module may be analyzed to determine whether one or more of the words matches a keyword stored in the keyword module 306. In some examples, keywords may be identified by an administrator or other overseer of the system 300. In other examples, the keywords may be automatically stored based on historical data indicating a risk associated with certain words.

The risk identification system 300 may further include a part of speech module 308. The part of speech module may be connected to or in communication with the parsing module 304 and/or the keyword module 306. The part of speech module 308 may identify a part of speech of one or more individual words identified in the received data. For instance, if one word of the received word string matches a keyword, the part of speech of the word may be identified by the part of speech module 308. This may aid in determining the intent of the user inputting the search query, drafting the email, and the like. For instance, the term “bypass” may be identified as a keyword and the part of speech module 308 may determine whether “bypass” is used as a noun or a verb in the string. This may aid in determining whether there is a risk or a level of risk associated with the word string, search query, and the like. For instance, if “bypass” is used as a noun in a search query (e.g., “bypass around 1-495”) it may indicate less risk associated with the search query than if “bypass” is used as a verb (e.g., “bypass website block”).

In another example, other words in the string (e.g., words other than a word matching a keyword) may be analyzed to determine a part of speech as well. For instance, continuing the example above, the term “block” may, in some examples, not match a keyword but as the search query is analyzed, the part of speech of “block” may be determined by the part of speech module 308 to further determine a risk associated with the search query. Accordingly, if “block” is used as a noun (as above “bypass website block”) a greater risk may be associated with the search query than if “block” is used as a verb (e.g., “block crab grass growth”).

The risk identification system 300 may further include a category module 310. The category module 310 may be connected to or in communication with one or more of the parsing module 304, keyword module 306, and/or part of speech module 308. The category module 310 may include one or more categories of terms that may indicate risk. For instance, keywords or terms may be sorted into categories such as intellectual property theft, information technology sabotage, unauthorized activity and/or behavior. Various other categories may be used without departing from the invention. In some examples, if two or more terms in a string are within the same category, that may indicate an increased risk associated with the string. For instance, if the identified noun and verb in a string are within a same category, there is a greater chance that the string is associated with activity not generally approved by the entity and, accordingly, a higher risk may be assigned to that string.

The risk identification system 300 may further include a risk rating module 312. The risk rating module 312 may be connected to or in communication with one or more of parsing module 304, keyword module 306, part of speech module 308 and/or category module 308. The risk rating module 312 may receive data from the one or more other modules and determine an overall risk associated with the word string. For instance, the risk rating module 312 may receive data associated with any keywords in the string, parts of speech of terms used, categories of the terms and whether any of the terms are in the same categories, and the like. A risk associated with the word string may be determined and the determined risk may be used to identify further processing for the word string and/or any additional steps taken, as will be discussed more fully below.

The risk identification system 300 may further include data storage module 314. Data storage module may include one or more databases storing terms, keywords, risk ratings, and the like. It may further include one or more processors and/or memory configured to identify additional keywords, refine risk ratings, and the like, based on historical data stored therein. For example, the data storage module 314 may be configured to provide rule defined learning for the system to improve accuracy of the risk ratings.

FIG. 4 illustrates one example method of implementing the risk identification system. In step 400, a string of terms is received for analysis, such as by parsing module 314 in FIG. 3. As discussed above, the string of terms may be a search query, such as an Internet search query input into a search engine, text from an email or other electronic communication, and the like. The string may be parsed as discussed above and, in step 402, a determination may be made as to whether one or more terms in the string matches a keyword. If none of the words in the string match any keywords, the process may end. For instance, if none of the terms match any of the keywords identified within the system, the string may be considered to pose a low or minimal risk to the entity and, thus, would not undergo any further processing. In some examples, a risk rating may be identified for the string of terms and the rating may be a low or the lowest possible ranking, thereby indicating the lowest level of identified risk.

If, in step 402, a determination is made that one or more of the terms matches a keyword, the part of speech of the matching word may be determined in step 404. As discussed above, determining a part of speech of a word in the string may aid in identifying risk associated with the string. For instance, some words, when used as a first part of speech, may indicate little or no risk. However, when used as another part of speech, the word may indicate increased or high risk. For instance, the term “bypass” may be used as a noun in a variety of contexts that would indicate minimal risk (e.g., bypass on a highway, heart bypass, and the like). However, when used as a verb, “bypass” may indicate a user is attempting to circumvent one or more security measures put in place by the entity. For instance, the user may be conducting a search to identify ways to circumvent or bypass a website block instituted by the entity. Accordingly, determining a part of speech may aid in determining the intent of the user when the string of terms was used (e.g., was the user attempting to circumvent security measures or simply conducting research to avoid traffic).

In another example, the term “resume” may be used as a verb to indicate taking up an action but may also be used as a noun “resume” (albeit without the appropriate accent marks to indicate the French origin which often do not appear when the term is used on English language keyboards) to describe a person's summary of their work experience, and the like. A user searching or including text in an email including the term “resume” may be using the term as a verb which would likely indicate minimal or little risk. However, if the term is being used as a noun, it may indicate that the user is looking for another job or position and, in this instance, may be using entity resources to conduct a job search, apply for jobs, and the like, which would pose a higher risk to the entity (e.g., the person may be leaving the position, the person may have access to confidential or sensitive information, and the like).

In step 406, a part of speech of an additional word in the string is determined. For instance, if the keyword is identified as a verb, the system (such as the part of speech module 310) may identify the term used as a noun in the string. This may aid in providing additional information about the risk associated with the string. For instance, if the term “bypass” matches a keyword and is identified as a verb, the system may identify the noun in the string. For instance, if the noun is “website” that may indicate that the user is looking to bypass one or more Internet blocks that are implemented by the entity and the string may pose a risk to the entity. Alternatively, if the noun is “traffic” the user may simply be looking for ways to avoid traffic and the string would appear to pose little risk to the entity.

In step 408, a category of the keyword and the at least one additional word may be identified or determined. As discussed above, various words (e.g., keywords, other common words associated with risk, and the like) may be sorted into categories, such as categories of type of risk. Some example categories may include:

1. Behavior—this category may include various keywords or other words indicating an action or behavior associated with the user that might involve risk. For instance, behavior may include terms indicating the user is looking for another job.

2. Information Technology Sabotage—this category may include various keywords or other words indicating the user may be a technical insider and may be looking to use his/her insider knowledge in an unauthorized manner. For instance, the user may be looking to download confidential or sensitive information to a portable drive in order to transmit it outside of the entity.

3. Unauthorized access—this category may include various words or keywords indicating the user intends or is involved in unauthorized activity such as theft, misuse of company information, and the like.

4. Intellectual property theft—this category may include various words or keywords indicating that the user is or plans to attempt to bypass one or more controls implemented by the entity. For instance, the user may be attempting to access information he/she is not authorized to access or may be attempting to circumvent one or more security measures implemented by the entity.

Although four categories are described herein, more or fewer, as well as other, categories may be used with the risk identification system without departing from the invention.

In step 410, a determination may be made as to whether the determined category for the keyword (for which the part of speech has been determined) and the determined category for the at least one additional word (for which the part of speech has been determined) are the same category. In some examples, the keyword and the additional word being in the same category may indicate an increased or higher potential risk. For instance, if two words are within the same category then it increases the likelihood that the string of terms being analyzed is associated with user activity that is not appropriate on an entity provided computing device (e.g., unauthorized, ill-advised, or the like). Accordingly, if, in step 410 a determination is made that the two words are within the same category, then, in step 412 a risk level or rating associated with the text being analyzed may be determined. The risk rating may be determined based on the identified terms, identified parts of speech, and/or the determined category.

If, in step 410, a determination is made that the terms are not in the same category, then a risk rating associated with the string being analyzed is determined in step 414. The risk level may be based, at least in part, on the determined part of speech and the determined category for each term.

FIG. 5 illustrates another example method of implementing the risk identification system described herein. In step 500 a string of terms is received for analysis. Similar to the arrangements discussed above, the string may include a search query, such as from an Internet search engine, text from an email or other electronic communication (e.g., SMS message) and the like. In step 502, the string may be parsed and a determination may be made as to whether one or more of the words in the string matches a keyword listing of the system. If none of the words being analyzed match any keywords, the process ends and no further action or processing may be performed on the string.

Alternatively, if in step 502, a determination is made that the string does include a term matching a keyword, then a noun and a verb in the string may be identified in step 504. For instance, the noun and verb may be identified by the system, such as by a part of speech module 310. In step 506, a category of each of the identified noun and the identified verb may be determined. The categories identified may be similar to the categories discussed above or may include other categories.

In step 508 a determination may be made as to whether the noun and verb are in the same category. Similar to the arrangements above, the identified noun and verb being in the same category may indicate an increased risk compared with a string in which the noun and verb are in different categories. If the noun and verb are not in the same category, the risk associated with the string may be determined in step 514 based on the term and the categories into which the terms (e.g., the identified noun and verb) are placed.

If, in step 508, the noun and verb are in the same category, an adjective may be identified in the string in step 510. Identification of the adjective (e.g., the term acting as the adjective in the sentence) may aid in identifying a risk level associated with the string because it may indicate the intent of the user. For instance, if the phrase “download confidential information” is input into an Internet search engine, the noun “information” and verb “download” may be in the same category and may indicate a risk. However, the addition of the adjective “confidential” raises that identified risk rating.

Once the adjective is identified and evaluated, a risk level may be determined for the string in step 512. The risk level may be determined based on the terms and categories of each term. For instance, the relationship of the terms (e.g., parts of speech of each term, categories, and the like) may aid in identifying the risk level associated with the string being analyzed.

FIG. 6 illustrates yet another example method of implementing the riskidentification system described herein. In step 600, a string of termsis received for analysis and in step step 602 a determination is made asto whether the string includes a keyword. If so, the part of speech ofthe keyword is determined in step 604.

In step 606, a determination is made as to whether the part of speech ofthe word matching the keyword is a verb. If so, the system may identifya noun in the string in step 608. If, in step 606, the part of speech ofthe term matching the keyword is not a verb, a determination is made instep 610 as to whether the term matching the keyword is a noun. If not,the process moves to step 608 to identify the noun in the string. If, instep 610, the term is a noun, then, in step 612, a verb in the stringmay be identified. In some instances, identifying the noun and verb in astring may include identifying a category of the noun and verb, similarto the arrangements discussed above.

In step 614, a determination is made as to whether the noun and verb arein the same category. If not, a risk level of rating of the string isdetermined in step 618. The risk rating may be based on the terms,categories and relationship between the terms. If, in step 614, the nounand verb are in the same category, an adjective in the string may beidentified in step 616. The risk rating of the string may then bedetermined in step 618 and may be based on the terms (e.g., noun, verband adjective), category, and relationship between the terms.

In step 618, any additional processing or actions associated with the string may be identified. For instance, based on the risk level or risk rating determined, one or more additional processing steps or further actions may be identified and/or implemented to mitigate the identified risk. Although the step of identifying additional processing is discussed in association with the method illustrated in FIG. 6, the step of identifying additional processing and actions may be performed in any of the methods described herein (e.g., methods illustrated in FIG. 4 or 5) or in any implementation of the risk identification system.

FIG. 7 illustrates one example table 700 listing the identified risk ratings and responses taken to a particular risk rating. Although five risk ratings are shown in FIG. 7, more or fewer risk rating levels may be used without departing from the invention.

Column 702 identifies the various risk ratings that may be identified for a string of terms being analyzed. The ratings shown extend from 1 to 5 and may include 1 being the highest risk and 5 being the lowest risk, or vice versa with 1 being the lowest risk and 5 being the highest risk. For simplicity, the remainder of the discussion of FIG. 7 will treat the risk ratings as 1 being the lowest risk and 5 being the highest risk.

Accordingly, once a string is analyzed and a risk rating is determined, any additional processing or actions may be determined from table 700 or similar tables. For instance, a risk rating of 1 may be identified for a string. The risk rating of 1 may be identified if, for example, there is no word in the string that matches a keyword. In response to a risk rating of 1, response 1 from additional action(s) column 704 may be implemented. Because rating 1 is the lowest risk, response 1 may include actions such as continuing to monitor the user as normal or taking no further action.

In another example, a risk rating of 3 may be identified in situations in which, for example, there is a keyword match but the noun and verb in the string are not in the same category. In this example, response 3 may be implemented and may include further review of search queries or communications associated with the user. Response 3 may also include placing tighter controls on the user (e.g., monitor new communications more frequently, log all activity of the user, and the like), further processing the string of terms to confirm risk associated with the string of terms, and the like.

In yet another example, a risk rating of 5 may be identified in situations in which, for instance, there is a keyword match and the noun and verb are in the same category. A risk rating of 5 may also include an adjective indicative of malicious or otherwise unauthorized intent of the user. Accordingly, response 5 may be implemented and the situation may be escalated to confront the user, seize his or her entity-provided computing devices, modify permissions or access to information of the user, and the like.
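The FIG. 6 decision flow and the FIG. 7 rating-to-response lookup can be sketched as follows. This is an added example, not code from the disclosure: the keyword list, lexicon, response wording, the intermediate rating of 4 for a same-category match without a risky adjective, and the assumption that an upstream tagger supplies (term, part of speech) pairs are all constructed for illustration.

```python
# Added illustration: lexicon, category assignments and the 4-versus-5 split
# are constructed assumptions, not values taken from the disclosure.
KEYWORDS = {"download", "delete", "information", "password"}

# (term, part of speech) -> category of risk. Keying on the part of speech is
# what lets "download" the verb and "download" the noun be treated differently.
CATEGORY = {
    ("download", "VERB"): "intellectual property theft",
    ("information", "NOUN"): "intellectual property theft",
    ("delete", "VERB"): "information technology sabotage",
    ("password", "NOUN"): "unauthorized access",
}
RISKY_ADJECTIVES = {"confidential", "proprietary"}

# Rating -> additional action (1 = lowest risk, 5 = highest, as in FIG. 7).
RESPONSES = {
    1: "continue monitoring as normal",
    3: "review the user's search queries and communications",
    4: "tighten monitoring of the user (assumed intermediate response)",
    5: "escalate and modify the user's access",
}


def first_with_pos(tagged, pos):
    """Return the first term tagged with the given part of speech, or None."""
    return next((term for term, tag in tagged if tag == pos), None)


def rate(tagged):
    """Rate a string given as (term, POS) pairs from an upstream POS tagger."""
    tagged = [(term.lower(), tag) for term, tag in tagged]
    if not any(term in KEYWORDS for term, _ in tagged):        # step 602
        return 1
    noun = first_with_pos(tagged, "NOUN")                      # steps 604-612
    verb = first_with_pos(tagged, "VERB")
    noun_cat = CATEGORY.get((noun, "NOUN"))
    verb_cat = CATEGORY.get((verb, "VERB"))
    if noun_cat is None or noun_cat != verb_cat:               # step 614
        return 3
    adjectives = {term for term, tag in tagged if tag == "ADJ"}  # step 616
    return 5 if adjectives & RISKY_ADJECTIVES else 4           # step 618


def respond(tagged):
    """Return (risk rating, additional action) for a tagged string."""
    rating = rate(tagged)
    return rating, RESPONSES[rating]
```

With this lexicon, "fix slow download" (where "download" is tagged as a noun) rates 3 rather than 5, which is the false-positive reduction the part-of-speech step is meant to provide.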

The risk identification methods, systems, and the like, described herein provide an accurate and objective way to identify risk associated with a user of a computing device. As discussed above, by determining different parts of speech of terms in a string of terms, and thereby understanding the relationship between the terms, risk can be more accurately identified and additional processing steps may be better tailored to the particular risk. Because fewer false positives may be identified by the system described herein than by conventional systems and methods, a more efficient and accurate system and method of determining risk is provided.

Various aspects described herein may be embodied as a method, an apparatus, or as one or more computer-readable media storing computer-executable instructions. Accordingly, those aspects may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Any and/or all of the method steps described herein may be embodied in computer-executable instructions stored on a computer-readable medium, such as a non-transitory computer readable medium. Additionally or alternatively, any and/or all of the method steps described herein may be embodied in computer-readable instructions stored in the memory of an apparatus that includes one or more processors, such that the apparatus is caused to perform such method steps when the one or more processors execute the computer-readable instructions. In addition, various signals representing data or events as described herein may be transferred between a source and a destination in the form of light and/or electromagnetic waves traveling through signal-conducting media such as metal wires, optical fibers, and/or wireless transmission media (e.g., air and/or space).

Aspects of the disclosure have been described in terms of illustrative embodiments thereof. Numerous other embodiments, modifications, and variations within the scope and spirit of the appended claims will occur to persons of ordinary skill in the art from a review of this disclosure. For example, one of ordinary skill in the art will appreciate that the steps illustrated in the illustrative figures may be performed in other than the recited order, and that one or more steps illustrated may be optional in accordance with aspects of the disclosure. Further, one or more aspects described with respect to one figure or arrangement may be used in conjunction with other aspects associated with another figure or portion of the description.

What is claimed is:
 1. An apparatus, comprising: at least one processor; and a memory storing computer-readable instructions that, when executed by the at least one processor, cause the apparatus to: receive a string of terms; determine whether the string of terms includes at least one word matching a keyword of a keyword listing; responsive to determining that the string of terms includes at least one word matching the keyword, identify at least a noun and a verb in the string of terms; identify a category of risk associated with the noun and a category of risk associated with the verb; determine whether the identified category of risk associated with the noun and the identified category of risk associated with the verb are a same category of risk; responsive to determining that the identified category of risk associated with the noun and the identified category of risk associated with the verb are the same category, determine a first risk rating of the string of terms based on the identified noun, the identified verb and the same category; and responsive to determining that the identified category of risk associated with the noun and the identified category of risk associated with the verb are different categories, determine a second risk rating of the string of terms based on the identified noun, the identified verb, the identified category of risk associated with the noun and the identified category of risk associated with the verb, the second risk rating being different from the first risk rating.
 2. The apparatus of claim 1, further including instructions that, when executed, cause the apparatus to: identify an adjective in the string of terms and determine a third risk rating of the string of terms based on the identified noun, identified verb, identified category of risk associated with the noun, identified category of risk associated with the verb and the adjective, the third risk rating being different from at least one of the first risk rating and the second risk rating.
 3. The apparatus of claim 1, wherein the categories of risk include at least one of: behavior, information technology sabotage, unauthorized access, and intellectual property theft.
 4. The apparatus of claim 1, further including instructions that, when executed, cause the apparatus to identify an additional action to implement based on the identified risk rating.
 5. The apparatus of claim 4, wherein the additional action includes altering access to information available to a user associated with the string of terms.
 6. The apparatus of claim 1, wherein the string of terms is input into a computing device by a user.
 7. The apparatus of claim 6, wherein the user is an employee of an entity and the computing device is provided to the user by the entity for use as an employee of the entity.
 8. A method, comprising: receiving, by a risk identification system having at least one processor, a string of terms; determining, by the risk identification system, whether the string of terms includes at least one word matching a keyword of a keyword listing; responsive to determining that the string of terms includes at least one word matching the keyword, identifying, by the risk identification system, at least a noun and a verb in the string of terms; identifying, by the risk identification system, a category of risk associated with the noun and a category of risk associated with the verb; determining, by the risk identification system, whether the identified category of risk associated with the noun and the identified category of risk associated with the verb are a same category of risk; responsive to determining that the identified category of risk associated with the noun and the identified category of risk associated with the verb are the same category, determining, by the risk identification system, a first risk rating of the string of terms based on the identified noun, the identified verb and the same category; and responsive to determining that the identified category of risk associated with the noun and the identified category of risk associated with the verb are different categories, determining, by the risk identification system, a second risk rating of the string of terms based on the identified noun, the identified verb, the identified category of risk associated with the noun and the identified category of risk associated with the verb, the second risk rating being different from the first risk rating.
 9. The method of claim 8, further including: identifying, by the risk identification system, an adjective in the string of terms; and determining, by the risk identification system, a third risk rating of the string of terms based on the identified noun, identified verb, identified category of risk associated with the noun, identified category of risk associated with the verb and the adjective, the third risk rating being different from at least one of the first risk rating and the second risk rating.
 10. The method of claim 8, wherein the categories of risk include at least one of: behavior, information technology sabotage, unauthorized access, and intellectual property theft.
 11. The method of claim 8, further including identifying, by the risk identification system, an additional action to implement based on the identified risk rating.
 12. The method of claim 11, wherein the additional action includes altering access to information available to a user associated with the string of terms.
 13. The method of claim 8, wherein the string of terms is input into a computing device by a user.
 14. The method of claim 13, wherein the user is an employee of an entity and the computing device is provided to the user by the entity for use as an employee of the entity.
 15. One or more non-transitory computer-readable media having computer-executable instructions stored thereon that, when executed, cause at least one computing device to: receive a string of terms; determine whether the string of terms includes at least one word matching a keyword of a keyword listing; responsive to determining that the string of terms includes at least one word matching the keyword, identify at least a noun and a verb in the string of terms; identify a category of risk associated with the noun and a category of risk associated with the verb; determine whether the identified category of risk associated with the noun and the identified category of risk associated with the verb are a same category of risk; responsive to determining that the identified category of risk associated with the noun and the identified category of risk associated with the verb are the same category, determine a first risk rating of the string of terms based on the identified noun, the identified verb and the same category; and responsive to determining that the identified category of risk associated with the noun and the identified category of risk associated with the verb are different categories, determine a second risk rating of the string of terms based on the identified noun, the identified verb, the identified category of risk associated with the noun and the identified category of risk associated with the verb, the second risk rating being different from the first risk rating.
 16. The one or more non-transitory computer-readable media of claim 15, further including instructions that, when executed, cause the at least one computing device to: identify an adjective in the string of terms; and determine a third risk rating of the string of terms based on the identified noun, identified verb, identified category of risk associated with the noun, identified category of risk associated with the verb and the adjective, the third risk rating being different from at least one of the first risk rating and the second risk rating.
 17. The one or more non-transitory computer-readable media of claim 15, wherein the categories of risk include at least one of: behavior, information technology sabotage, unauthorized access, and intellectual property theft.
 18. The one or more non-transitory computer-readable media of claim 15, further including instructions that, when executed, cause the at least one computing device to identify an additional action to implement based on the identified risk rating.
 19. The one or more non-transitory computer-readable media of claim 18, wherein the additional action includes altering access to information available to a user associated with the string of terms.
 20. The one or more non-transitory computer-readable media of claim 15, wherein the string of terms is input into a computing device by a user, and wherein the user is an employee of an entity and the computing device is provided to the user by the entity for use as an employee of the entity.